Using a forward to a native j_security_check is indeed an easy way to use the servlet container provided security features. But on the other hand, you're mixing JSF with non-JSF stuff. I was more thinking of using a servlet filter to do the client-login into the security domain when the username and password has been set on the session as attributes. That way the error reporting on a failed login "stays within JSF". Any suggestions here? View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3988168#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...